Enable Encryption in Transit

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: AlibabaCloud-RDS-002

Ensure that encryption in transit is enabled for all SQL database instances provisioned with Alibaba Cloud RDS in order to meet security and compliance requirements. The SSL encryption feature lets PostgreSQL and MySQL database instances accept TLS-protected connections, so that credentials, queries and results cannot be read or altered on the network path between the client and the instance. Once enabled, encryption and decryption of the transport are handled by the TLS layer, but your application still has to request an SSL connection and, to be protected against a spoofed server, verify the server certificate against the RDS CA certificate. Whether unencrypted connections are still accepted after the feature is turned on depends on the engine's own configuration (for MySQL 5.7 and later, the require_secure_transport parameter), so confirm enforcement from the client side as well. Encryption in transit is disabled by default.

Security

When working with production and sensitive data, it is strongly recommended to enforce in-transit encryption in order to protect your RDS SQL databases from unauthorized access (credential theft or tampering with queries and results by anyone positioned on the network path) and to fulfill your organization's compliance requirements for data encryption. A typical such requirement is the protection of Personally Identifiable Information (PII), data that can identify a specific individual, which is common in the Financial Services, Healthcare and Telecommunications sectors.

Audit

To determine if your RDS database instances are configured to enforce SSL for all incoming connections, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Relational Database Services (RDS) console at https://rdsnext.console.aliyun.com/dashboard.

03 In the left navigation panel, under ApsaraDB RDS, choose Instances.

04 Click on the ID (link) of the SQL database instance that you want to examine, listed in the Instance ID/Name column.

05 In the RDS resource navigation panel, choose Data Security to access the security configuration information available for the selected database instance. If Data Security is not listed in the instance menu, encryption in transit is not supported by the selected RDS database instance.

06 Check the SSL Encryption configuration setting available in the SSL Settings section to determine the encryption feature status. If the SSL Encryption setting is set to Disabled, encryption in transit is not enabled for the selected Alibaba Cloud RDS database instance.

07 Repeat steps no. 4 – 6 for each database instance provisioned in your Alibaba Cloud account.

Using Alibaba Cloud CLI

01 Run DescribeDBInstances command (OSX/Linux/UNIX) with custom output filters to list the ID of each RDS database instance available within your Alibaba Cloud account:

aliyun rds DescribeDBInstances 
  --output cols=DBInstanceId

02 The command output should return a list with the requested database instance identifiers:

DBInstanceId
------------
rm-abcd1234abcd1234
rm-1234abcd1234abcd

03 Run DescribeDBInstanceSSL command (OSX/Linux/UNIX) with the ID of the RDS database instance that you want to examine as the identifier parameter, to describe the SSL configuration information available for the selected RDS instance:

aliyun rds DescribeDBInstanceSSL 
  --DBInstanceId rm-abcd1234abcd1234

04 The command output should return the requested SSL configuration information:

{
	"RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD",
	"RequireUpdate": "No",
	"SSLExpireTime": "",
	"SSLEnabled": "No",
	"RequireUpdateReason": "",
	"ConnectionString": ""
}

Check the "SSLEnabled" attribute value to determine the encryption feature status. If "SSLEnabled" is set to No, as shown in the example above, encryption in transit is not enabled for the selected Alibaba Cloud RDS database instance.

05 Repeat steps no. 3 and 4 for each database instance provisioned within your Alibaba Cloud account.
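The two CLI steps above have to be repeated per instance, and a manual loop is easy to get wrong on accounts with many databases. The script below, an added example rather than Conformity's or Alibaba Cloud's own code, automates the audit: it pages through DescribeDBInstances, calls DescribeDBInstanceSSL for each ID and reports a finding for every instance with SSL disabled, plus two extra checks a practitioner wants (a server certificate that RequireUpdate flags or that expires within 30 days, and SSL that is available but not enforced). It assumes the aliyun CLI is installed and configured, that DescribeDBInstances lists instances under Items.DBInstance[] and pages with PageNumber/PageSize/TotalRecordCount, and that a ForceEncryption field may or may not be present in the SSL response; the sample responses at the bottom are constructed for offline exercise, not real API output.

```python
"""Audit SSL/TLS settings on every Alibaba Cloud RDS instance via the aliyun CLI.

Added example (not Conformity's or Alibaba Cloud's own code). Assumptions:
the `aliyun` CLI is installed and configured; DescribeDBInstances returns
instances under Items.DBInstance[] and pages with PageNumber/PageSize and
TotalRecordCount; ForceEncryption is read only when present in the response.
"""
import json
import subprocess
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional


def aliyun_json(*args: str) -> dict:
    """Run one aliyun CLI command and parse its JSON output."""
    proc = subprocess.run(["aliyun", *args], check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def parse_time(value: str) -> datetime:
    """Parse the UTC timestamp format used by SSLExpireTime (e.g. 2025-10-11T09:00:00Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def instance_ids_from_page(page: dict) -> List[str]:
    """Extract DBInstanceId values from one DescribeDBInstances response page."""
    return [item["DBInstanceId"] for item in page.get("Items", {}).get("DBInstance", [])]


def list_all_instance_ids(fetch_page: Callable[[int], dict]) -> List[str]:
    """Walk every page of DescribeDBInstances; fetch_page(n) returns page n (1-based)."""
    ids: List[str] = []
    page_no = 1
    while True:
        page = fetch_page(page_no)
        page_ids = instance_ids_from_page(page)
        ids.extend(page_ids)
        total = int(page.get("TotalRecordCount", len(ids)))
        if not page_ids or len(ids) >= total:  # empty page guards against an endless loop
            return ids
        page_no += 1


def ssl_findings(ssl_resp: dict, now: Optional[datetime] = None, warn_days: int = 30) -> List[str]:
    """Turn a DescribeDBInstanceSSL response into a list of findings (empty means compliant)."""
    now = now or datetime.now(timezone.utc)
    if ssl_resp.get("SSLEnabled") != "Yes":
        # The rule itself: encryption in transit is off for this instance.
        return ["SSL encryption disabled (AlibabaCloud-RDS-002)"]
    findings: List[str] = []
    if ssl_resp.get("RequireUpdate") == "Yes":
        reason = ssl_resp.get("RequireUpdateReason") or "no reason given"
        findings.append(f"server certificate requires update ({reason})")
    expire = ssl_resp.get("SSLExpireTime")
    if expire and parse_time(expire) - now <= timedelta(days=warn_days):
        findings.append(f"server certificate expires within {warn_days} days ({expire})")
    # Assumption: ForceEncryption is only present for some engines; absent means
    # "unknown", not "enforced", so only an explicit "No" is reported.
    if ssl_resp.get("ForceEncryption") == "No":
        findings.append("SSL available but not enforced (ForceEncryption=No)")
    return findings


def audit_instances(ids: List[str], describe_ssl: Callable[[str], dict],
                    now: Optional[datetime] = None) -> Dict[str, List[str]]:
    """Map each instance ID to its findings; describe_ssl(id) returns DescribeDBInstanceSSL JSON."""
    return {iid: ssl_findings(describe_ssl(iid), now) for iid in ids}


# Constructed sample responses (not real API output) so the logic can be exercised offline.
SAMPLE_PAGES = {
    1: {"TotalRecordCount": 3, "Items": {"DBInstance": [
        {"DBInstanceId": "rm-abcd1234abcd1234"}, {"DBInstanceId": "rm-1234abcd1234abcd"}]}},
    2: {"TotalRecordCount": 3, "Items": {"DBInstance": [{"DBInstanceId": "rm-5678efgh5678efgh"}]}},
}
SAMPLE_SSL = {
    "rm-abcd1234abcd1234": {"SSLEnabled": "No", "RequireUpdate": "No", "SSLExpireTime": ""},
    "rm-1234abcd1234abcd": {"SSLEnabled": "Yes", "RequireUpdate": "No",
                            "SSLExpireTime": "2025-10-11T09:00:00Z"},
    "rm-5678efgh5678efgh": {"SSLEnabled": "Yes", "RequireUpdate": "Yes",
                            "RequireUpdateReason": "certificate rotation pending",
                            "SSLExpireTime": "2026-01-01T00:00:00Z", "ForceEncryption": "No"},
}


def main() -> None:
    """Live run against the account the aliyun CLI is configured for."""
    ids = list_all_instance_ids(lambda n: aliyun_json(
        "rds", "DescribeDBInstances", "--PageSize", "100", "--PageNumber", str(n)))
    report = audit_instances(ids, lambda i: aliyun_json(
        "rds", "DescribeDBInstanceSSL", "--DBInstanceId", i))
    for iid, findings in report.items():
        print(iid, "compliant" if not findings else "; ".join(findings))


if __name__ == "__main__":
    main()
```

Run it as-is for a live report, or call audit_instances with your own describe function in a CI job. Note that a DescribeDBInstanceSSL response can carry key material (the ServerKey field), so the raw JSON should not be written to logs or tickets; the script only keeps the fields it reports on.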

Remediation / Resolution

To enable encryption in transit for your Alibaba Cloud RDS database instances, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Relational Database Services (RDS) console at https://rdsnext.console.aliyun.com/dashboard.

03 In the left navigation panel, under ApsaraDB RDS, choose Instances.

04 Click on the ID (link) of the SQL database instance that you want to reconfigure, listed in the Instance ID/Name column.

05 In the RDS resource navigation panel, choose Data Security to access the security configuration information available for the selected database instance. If Data Security is not listed in the instance menu, encryption in transit is not supported by the selected RDS database instance.

06 Select the SSL tab and turn on the SSL Encryption configuration setting to enable encryption in transit for the selected RDS database instance.

07 In the Configure SSL Encryption box, select the required protected endpoint, and choose OK to apply the configuration changes.

08 Choose Download CA Certificate to download the CA certificate that clients need in order to verify the instance's server certificate. Verifying the server certificate against this trusted CA during the TLS handshake ensures that the client is connecting to the legitimate RDS instance and not to a server impersonating it. Downloading the certificate only helps if the client is configured to check it, for example with --ssl-mode=VERIFY_CA --ssl-ca=<path> for the mysql command-line client or sslmode=verify-ca sslrootcert=<path> in a libpq connection string for PostgreSQL; a client that encrypts without verification is still exposed to a man-in-the-middle.

09 Repeat steps no. 4 – 8 for each RDS database instance available in your Alibaba Cloud account.

Using Alibaba Cloud CLI

01 Run ModifyDBInstanceSSL command (OSX/Linux/UNIX) to enable encryption in transit for the selected RDS database instance. Set the --ConnectionString parameter value to the internal or public database endpoint for which the server certificate needs to be created. The certificate is issued for that one endpoint, so clients that verify the server hostname must connect through it. The --ConnectionString parameter value has the following format: "[db-instance-id].[db-engine-type].[region-name].rds.aliyuncs.com":

aliyun rds ModifyDBInstanceSSL 
  --DBInstanceId rm-abcd1234abcd1234 
  --ConnectionString "rm-abcd1234abcd1234.mysql.eu-west-1.rds.aliyuncs.com"

02 If successful, the output should return the command request ID:

{"RequestId":"ABCDABCD-1234-ABCD-1234-ABCD1234ABCD"}

03 Run DescribeDBInstanceSSL command (OSX/Linux/UNIX) with the ID of the modified RDS database instance as the identifier parameter, to describe the new SSL configuration information available for the specified instance, including the CA certificate (if the parameter is supported):

aliyun rds DescribeDBInstanceSSL 
  --DBInstanceId rm-abcd1234abcd1234

04 The command output should return the new SSL configuration information. Note that the response can include private key material (ServerKey), so treat the raw output as sensitive and do not paste it into tickets, logs or chat:

{
	"RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD",
	"RequireUpdate": "Yes",
	"SSLExpireTime": "2025-10-11T09:00:00Z",
	"SSLEnabled": "Yes",

	...

	"ConnectionString": "rm-abcd1234abcd1234.mysql.eu-west-1.rds.aliyuncs.com",
	"CAType": "aliyun",
	"ClientCACert": "-----BEGIN CERTIFICATE----- ABCD1234ABCD1234 -----END CERTIFICATE-----",
	"ServerKey": "-----BEGIN PRIVATE KEY----- 1234ABCD1234ABCD -----END PRIVATE KEY-----"
}

05 Repeat steps no. 1 – 4 for each RDS database instance available within your Alibaba Cloud account.

Publication date Feb 26, 2024